Designing the future identity: authentication and authorization through self-sovereign identity Valentin Gerard Designing the future identity: authentication and authorization through self-sovereign identity Master’s Thesis in Computer Science EIT Digital MSc Programme Cloud Computing and Services Parallel and Distributed Systems group Faculty of Electrical Engineering, Mathematics, and Computer Science Delft University of Technology Valentin Gerard 21st August 2019 Author Valentin Gerard Title Designing the future identity: authentication and authorization through self-sovereign identity MSc presentation 30th August 2019 Graduation Committee Prof dr. ir. D. H. J. Epema, Delft University of Technology Dr.ir. J.A. Pouwelse Delft, University of Technology Dr. L. Hartmann Delft, University of Technology F. Rousee, Orange Business Services Abstract The apparition of the Internet was a revolution that allowed to connect people all around the world. It was a disruptive technology that helped to shape the mod- ern society as we know it today. However, to trust a person we interact with but we are not able to see is difficult. In order to trust people in this huge network, different digital identity models have been built to attempt to authenticate its users. Still, as the technology and our use of it evolved, the complexity of digital identity increased and problems started to appear. The two main problems are the aggreg- ation of personal information in the databases of powerful IT companies and the user experience that is more complicated than it should be. Those two problems are linked and are caused by identity models that were not designed in a user- centric approach. Each organization uses its own identity system to authenticate their users, which causes the fragmentation of the user’s digital identity that have to register and create identity for all the organizations he is interacting with. Self-sovereign identity is an emerging identity model that makes use of distrib- uted ledger technologies and cryptography to solve these problems. The goal of this model is to return digital identities in the hand of users by placing them at the center of the model. Unifying all their personal information under one identity would greatly improve their experience and help them to have a better control on how it is used by the organizations they’re interacting with. In our first research question, we first examine if the self-sovereign architecture can provide an identity that can be trusted by people and organizations alike. We found that the trust that we can accord to this model is highly related to our capacity to safely manage the different cryptographic keys that are used to secure wallets where user’s inform- ation is stored and to secure the communication channels between the different identity owners. The storage of these keys is the subject of our second research question. To understand better the mechanisms, we implement a prototype using the Hyperledger Indy blockchain to discover how these keys and the credentials as- sociated to the digital identity are stored and managed in this ecosystem. We then use the prototype to authenticate a user and make use of its credentials to authorize or deny the access to specific resources on the system to make the link with identity and access management in our third research question. iv Preface Since my first encounter with the Internet I have been fascinated by the fact that you can instantly get almost any information from all over the world from anywhere as long as you are connected to the network. After high school, I started a general training in web professions where I learned mostly about the surface or the front- end as we call it in the field. To get the big picture I understood that I had to study computer science more in depth. That’s how I ended up enrolling for the EIT Digital MSc Programme ”Cloud Computing and Services” master, which as a bonus, gave me the possibility to travel and meet many people as well as opening the door to new opportunities. There, one specific subject got my interest. The simple idea that we can use and share a huge amount of resources through the very same network I discovered years ago to solve the most complex problems made me passionate about distributed systems. As a result, the complex problem I decided to work on for this thesis is digital identity. In my point of view, this subject is central to many others and will unlock new opportunities to link physical and digital worlds for a better future as long as it is designed for individuals first. I was hired as an intern in ’Orange Application for Business’, a French company with a cybersecurity department to work on this subject. My goal was to explore the digital identity subject and to make a link with recent advancements in blockchain technology to design a service we could build on it. That’s how I started designing a self-sovereign identity proof-of-concept where is it possible to hold, issue and verify credentials in a secure way and where users’ privacy is respected. I would like to thank my colleagues from Orange Application for Business for welcoming me in their office and giving me the opportunity to work on this project. I would also like to thank my professors at TU Delft for their teaching. I extend my gratitude to my family which is with me since the very beginning, my oldest friends as well as the ones I met on my journey, the teachers which passed on their knowledge to me and to many other students. Valentin Gerard Rennes, France 21st August 2019 v vi Contents Preface v 1 Introduction 1 1.1 Problem statement . 2 1.2 Research approach . 3 1.3 Thesis outline and Contributions . 4 2 Concepts of self-sovereign identity 5 2.1 Evolution of digital identity . 6 2.2 Self-sovereign Identity principles . 8 2.3 Self-sovereign identity’s architecture . 9 2.3.1 Decentralized Public Key Infrastructure . 9 2.3.2 Decentralized identifiers . 10 2.3.3 Associated protocols specifications . 14 2.4 Verifiable credentials . 16 2.4.1 Verifiable credentials environment . 16 2.4.2 Data model . 18 2.4.3 Format . 19 2.4.4 Verification . 19 2.5 Existing self-sovereign identity solutions . 21 2.5.1 Sovrin (Hyperledger Indy) . 21 2.5.2 uPort (Ethereum) . 21 2.5.3 TrustChain (IPv8 protocol) . 22 2.6 Overcome the barriers to adoption . 22 2.6.1 Analysis of the macro-environmental factors . 22 2.6.2 Self-sovereign identity evaluation . 24 3 Design and implementation of a self-sovereign identity agent 27 3.1 Design goals . 27 3.2 Architecture overview . 28 3.3 Agents to host identity wallets . 29 3.3.1 Agent categories . 30 3.3.2 Agent storage . 31 vii 3.3.3 Authentication to agent . 32 3.3.4 Key management . 33 3.4 Agents implementation in educational environment . 34 3.4.1 Agent deployment . 35 3.4.2 Interface . 36 3.4.3 Authentication via Mobile Connect . 36 3.4.4 Agent-to-agent protocol . 37 3.5 General remarks . 39 3.5.1 Note on trust . 39 3.5.2 Note on security . 40 3.5.3 Note on decentralization . 43 4 Credential based access management 45 4.1 Identity and Access Management . 45 4.1.1 Access control methods . 46 4.1.2 Credential based access management . 47 4.2 Agent plugin description . 47 4.2.1 Academic platform ecosystem . 47 4.2.2 Credential’s categories and use cases . 48 4.3 Plugin integration . 49 4.3.1 Architecture . 49 4.3.2 Different access level . 50 4.4 Performance results . 52 5 Conclusions and Future Work 57 5.1 Conclusions . 57 5.2 Future Work . 59 6 Appendix 65 viii Chapter 1 Introduction Trust has always been an important part of human interactions. When communities grew up and could no longer rely on their proximity[1], men invented ways to provide trust in larger ecosystems where most of the people do not know each other. It has often been done through the issuance of certificates on which we added seals to authenticate their issuer and used encryption methods to ensure the message could not be read by anyone. It did not change much since. However, to keep up with the Internet revolution, techniques had to evolve and they are now much more complex than before[2], although we are still using paper and plastic cards in the physical world. We are now using cryptography to answer our need to provide trust in our online interactions. When you think about it, credentials are everywhere. We get our first one, the birth certificate, very early and we are collecting more of them all along our life. However, as stated before, they are mostly issued in a paper format or by using plastic cards and we have no standard way to assert their authenticity online. Or to be more accurate, no good way to do it. In existing architecture, we have to rely on third parties to keep our identities on our behalf. The biggest issue with this model is that our identities are locked in the service provider server and we have no way to reuse them for other services. We have to create a fragment of our identities for each service that we have to protect with multiple passwords. This leads to security and privacy issues as all these fragments become possible target for attackers. In the last 20 years we started to see multiple initiatives to build a unique and persistent user-centric identity that would allow the secure exchange of credentials online like the Augmented Social Network[3] or more recently OpenID[4].